Report on incident 2002/11/10 on www.tcpdump.org

Between November 7th and November 10th, there was an intrusion
on lox.sandelman.ca, aka cvs.tcpdump.org. It likely occurred through either Apache+SSL
(openssl was not patched. I thought I'd just turned SSL off), or via openssh.

The attack resulted in the addition of a public key to several SSH
authorized_keys files, including mine.

On November 11th, around 10am a trojan copy of tcpdump 3.7.2 and
libpcap 0.6.2 was installed using my account. This was discovered on November
12th by some Linux users in Houston, and slashdotted that night. I received
notification from an Australian mirror of the furor by phone on Wednesday
November 13th, unfortunately just after I'd travelled to Atlanta for IETF55.

On the afternoon of November 13th, lox.sandelman.ca was quarantined
- the default route was removed, with selective connectivity enabled for
specific uses. (It is my mail relay/pop mailbox server, after all.)

On November 15th, proper tcpdump.org files were put online again.
The machine remained quarantined until I knew that I'd be home long enough
to watch it.

The machine was upgraded to NetBSD 1.6 on December 2nd and 3rd,
with some additional patches applied already. The default route was restored
on December 3rd at 16:00.

Other machines have been audited and no other situations have been
seen. In general, there were too many eggs on that machine - it made it very
hard to upgrade in a timely manner. There are plans to distribute the work
a little more. These plans are not new - alas.

If there are services (other than list searches, which continue
to be broken) which you expect to have returned, then please let me know.